
Re: [security considerations and validating HTML on your site

From: olivier Thereaux <ot@w3.org>
Date: Mon, 10 Apr 2006 10:23:08 +0900
Message-Id: <029c6cdc374d9928e114494141df84a7@w3.org>
Cc: site-comments@w3.org, Ian B.Jacobs <ij@w3.org>
To: Andy Fentem <LA-Fentem@wiu.edu>

Hello Andy,

Thank you for your enquiry regarding our validation services.

If I understand your questions correctly, you are worried about the 
security of validation for non-public pages.

As you probably noticed already, the validator can indeed check 
protected pages, by asking you for the necessary user and password 
information, which allows it to retrieve (and validate) the protected 
resources. I understand that you may be wondering about the safety of 
the password and protected resources once sent to the validator: I can 
assure you that the validator server is maintained with utmost care 
regarding security and privacy, and that sensitive information received 
by the validator is neither shared nor at risk of being leaked.

That said, when you validate protected resources, just as when you 
access them with a browser from the internet, the password and page are 
sent "in the clear", and there is a risk (tiny, however), that people 
may be "sniffing" your network. Of course, this is neither something 
you can control, nor us, and the only way to avoid this is to only ever 
access password-protected resources from inside your university's 
network, where the risk of sniffing is probably lower.

If you wish to do that, you could have an instance of the validator 
installed on a server on your network (it's fairly easy to install on 
almost any Web Server):
http://validator.w3.org/docs/install.html

I hope this answers your questions. If not, feel free to contact me for 
further clarifications.

olivier
-- 
olivier Thereaux - W3C - http://www.w3.org/People/olivier/
W3C Open Source Software: http://www.w3.org/Status
Received on Monday, 10 April 2006 01:23:23 GMT
